JUNE 15, 2023
WASHINGTON, D.C. – U.S. cybersecurity officials warned Thursday that several federal agencies have been hit with a ransomware attack that appears to be part of a widespread and coordinated effort to exploit a vulnerability in widely used software.
The U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, is providing support to the agencies “that have experienced intrusions,” Eric Goldstein, CISA’s executive assistant director for cybersecurity said in a release. The cyberattacks were first reported by CNN.
Goldstein said the intrusions affected the agency’s MOVEit file transfer software, which encrypts files and uses secure File Transfer Protocols (FTPs), automation and analysis to transfer large volumes of data. “We are working urgently to understand impacts and ensure timely remediation.”
It was not immediately clear, CNN reported, if the hackers responsible for breaching the federal agencies were a Russian-speaking ransomware group that has claimed credit for other victims in the hacking campaign.
US ‘working urgently’ on damage assessment
In an evening briefing with reporters, CISA Director Jen Easterly said that based on discussions CISA has had with industry partners in the Joint Cyber Defense Collaborative (JCDC), the intrusions are not being leveraged “to steal specific high value information—in sum, as we understand it, this attack is largely an opportunistic one.”
“In addition, we are not aware of CL0P actors threatening to extort or release any data stolen from U.S. government agencies,” Easterly said, referring to a ransomware gang. “Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks.”
SolarWinds is shorthand for one of the most damaging hacks of U.S. government agencies, which gave Russia the ability to infect or potentially spy on 16,000 computer systems worldwide. Russia was accused of infecting software with malicious code to execute the broad-scope cyber espionage campaign, and it led to broad sanctions against Moscow by the Biden administration after it was discovered in late 2020.
CISA first warned of the CL0P cyberattacks in a joint June 7 advisory with the FBI.
“We are currently providing support to several federal agencies that have experienced intrusions,” Easterly said. “We are working urgently to understand impacts and ensure timely remediation.”
A global wave of cyberattacks
The news was the latest development in recent days about widespread cyberattacks by sophisticated hackers.
The cybersecurity firm Mandiant posted new research and findings Thursday saying that suspected state-backed hackers in China had used a vulnerability in commonly used email security technology, Barracuda ESG appliances, to penetrate the networks of potentially hundreds of public and private sector organizations around the world.
Nearly a third of the victims were foreign ministries and other government agencies, the Mandiant report said.
Charles Carmakal, Mandiant’s chief technical officer, described the current wave of intrusions as “the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021″ that effected thousands of organizations.
“In the (current) Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations,” Carmakal said in a statement provided to USA TODAY. “For a subset of victims, they stole the emails of prominent employees dealing in matters of interest to the Chinese government.”
Ransomware attacks target US government
On Wednesday, CISA and the FBI issued a joint Cybersecurity Advisory (CSA) with recommended steps to protect against what it described as the CL0P Ransomware Gang exploiting the technology vulnerability that breached several federal agencies.
Goldstein said CISA was in close contact with the software maker and the FBI “to understand prevalence within federal agencies and critical infrastructure.” He urged impacted organizations to reach out to CISA via cisa.gov/report or its network of regional cybersecurity representatives.
Bryan Vorndran, assistant director of the FBI’s Cyber Division, urged private sector organizations to implement the recommended steps, and to report suspected cyberattacks to local FBI field offices and CISA.
“While the FBI remains steadfast in our efforts to combat the ransomware threat at large, this is not a fight we can win alone,” Vorndran said.
Also Wednesday, CISA, the FBI and international counterparts issued a separate advisory about ransomware actors using LockBit, which they said was the most globally used and prolific Ransomware-as-a-Service in 2022 and 2023. Financially motivated hackers using LockBit, they warned, “have attacked organizations of various sizes across a wide array of critical infrastructure sectors.”
The advisory, like other CISA warnings, included a host of technical details about the threat and the ways to identify and defend against it.
An international response to cyberattacks
Top cyberofficials from Australia, Canada and the United Kingdom weighed in on the LockBit threat and the international response to it.
“LockBit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organizations worldwide, including in Australia,” said Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC). “With ransomware variants constantly evolving, this advice can help organizations strengthen and defend their networks.”
William “Hutch” Hutchison, former cyber exercise lead at US Cyber Command, told USA TODAY that the attack on U.S. federal government agencies “exposes the fragile nature of even the most mature institutions.”
“The disruption to daily life for millions around the world and the threat to critical national infrastructure has intensified the need for government-grade cybersecurity in the wake of persistent state-based threats,” said Hutchison, CEO of global cyber firm SimSpace. “If organizations and governments want to survive and succeed in the emerging cyber battleground, investing in cyber-security will be pivotal in negating the deadly reputational and financial disruption that will continue to rock the nation in 2023.”
Hutchison said Mandiant’s revelation underscores the ever-present threat of attacks from China and other countries.
“The U.S. and our strategic allies are more sophisticated in their cybersecurity practices than most emerging nations, but we’ve got a long way to go,” Hutchison said. “It’s not hard to compromise organizations and bring them to their knees.”
Courtesy/Source: This article originally appeared on USA TODAY